March 13, 2017 at 1:22 am

Can someone direct me to a sample script on how to disable a client's remote desktop capability? Basically I am looking at the equivalent to disabling an entire OU of users that have the 'Deny this user permissions to logon on to Remote Desktop Session Host Server' from within the Active Directory Remote Desktop Services Profile Properties.

AD server is running PS version 5.

March 13, 2017 at 8:39 am

Hi Brian,

By default you have to enable users to use an RDS server. Can you give me some more detail about your situation?
With this information I would say, just make a group with the users that need to have access to your RDS servers and give this group access.


March 13, 2017 at 10:25 am

Hi Brian,

I've written you a script that will do this. You can enable or disable Terminal Services through WMI.

function Set-TerminalServices {
    [CmdletBinding()]
    param (
        # Computers to update; accepts pipeline input
        [Parameter(Mandatory = $true,
            ValueFromPipeline = $true,
            Position = 0)]
        [string[]]$ComputerName,

        # 'True' to enable, 'False' to disable
        [Parameter(Mandatory = $true)]
        [string]$EnableTerminalServices
    )

    begin {
        # Convert True or False from string to Boolean value
        $boolValue = [System.Convert]::ToBoolean($EnableTerminalServices)
    }

    process {
        # For each computer, set the value to 'True' or 'False' to enable or disable
        foreach ($computer in $ComputerName) {
            (Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' `
                -Class Win32_Terminal `
                -ComputerName $computer).Enable($boolValue) | foreach {

                # Check for a return code of '0' for success
                if (($_.ReturnValue) -eq [uint32]0) {
                    "{0} : {1} = {2}" -f $computer, "Terminal Services Status",
                        $(if ($EnableTerminalServices -eq $true) {"Enabled"} else { "Disabled"})
                }
                else {
                    "{0} : {1}" -f $computer, "[Error] Failed to update Terminal Service value"
                }
            }
        }
    }

    end {} # add for completeness
}

The script will allow you to pass computers to the pipeline and allow you to either enable or disable the Terminal Service.

'PC12345','Localhost' | Set-TerminalServices -Enable True

PC12345 : Terminal Services Status = Enabled
Localhost : Terminal Services Status = Enabled


'PC12345','Localhost' | Set-TerminalServices -Enable false

PC12345 : Terminal Services Status = Disabled
Localhost : Terminal Services Status = Disabled

Hope that helps.

March 13, 2017 at 3:12 pm

We run a hosted terminal server environment where a majority of the clients who have hosted applications use remote capability either through RDP or Citrix to our terminal servers. However, a small portion of our users are email only and 'should' have remote capability turned off (shut off within Active Directory Remote Desktop Services Profile).

If I specify a client that is email hosted only, I want my script to iterate through all users within that OU to check this 'Deny' setting and check it if it is not checked.

I have experimented with a single account and I can get the status of the setting, but I am having trouble with the 'set' statement syntax.
However, I feel like I am taking the long way around, since examples I have seen manipulate *TS* properties, but I don't seem to have access to them when I run the command get-aduser -identity bclanton | get-member.

$bclanton = get-aduser -Identity bclanton -Properties DistinguishedName
# -ExpandProperty returns the DN as a plain string for the LDAP path
$bclantonDN = $bclanton | select -ExpandProperty DistinguishedName

$bclantonUser = [adsi]"LDAP://$bclantonDN"

if (($bclantonUser.psbase.invokeget("AllowLogon")) -eq "1") {
    Write-Output "Set to 1"
}
else {
    Write-Output "Set to 0"
}

March 13, 2017 at 3:25 pm

Run one region at a time as needed, not the whole script. Edit region Input to enter your OU info.

#region Input
$OUName = [adsi]'LDAP://ou=PACRIM,dc=mydomain,dc=com'
#endregion

#region View Terminal Services 'AllowLogon' of AD users in 'OUName'
$ADUsers = $OUName.psbase.get_children() # Get all users in the OU
$myOutput = foreach ($ADUser in $ADUsers) {
    New-Object -TypeName PSObject -Property @{
        DN           = $ADUser.distinguishedName | select -First 1
        TSAllowLogon = ($ADUser.AllowLogon -eq 1)
    } | Select DN, TSAllowLogon
}
$myOutput | FT -a
#endregion

#region Disable Terminal Services 'AllowLogon' for AD users in 'OUName'
foreach ($ADUser in $ADUsers) {
    $ADUser.psbase.InvokeSet('AllowLogon', 0) # 0 = deny Remote Desktop logon
    $ADUser.SetInfo()                         # write the change back to AD
}
#endregion

#region Enable Terminal Services 'AllowLogon' for AD users in 'OUName'
foreach ($ADUser in $ADUsers) {
    $ADUser.psbase.InvokeSet('AllowLogon', 1) # 1 = allow Remote Desktop logon
    $ADUser.SetInfo()                         # write the change back to AD
}
#endregion

March 13, 2017 at 4:01 pm

The 'setinfo()' method was my missing link.

After you created the new list of objects in the command:

$ADUsers = $OUName.psbase.get_children() 

How is one made aware of the 'setinfo()' method? In my example, I pipe the object

$bclanton.psbase | Get-Member

and I do not see this method.

March 19, 2017 at 10:39 pm

Only issue with the above example is that it doesn't pull just User accounts but group accounts as well.

$ADUsers = $OUName.psbase.get_children()

[w2k8-dc2]: PS C:\Users\administrator.XXXX\Documents> $adusers

distinguishedName : {CN=Group-tptest,OU=TPTest,OU=Hosted,DC=XXXX,DC=local}
Path              : LDAP://CN=Group-tptest,ou=TPTest,ou=hosted,dc=XXXX,dc=local

distinguishedName : {CN=tptest1,OU=TPTest,OU=Hosted,DC=XXXX,DC=local}
Path              : LDAP://CN=tptest1,ou=TPTest,ou=hosted,dc=XXXX,dc=local

distinguishedName : {CN=tptest2,OU=TPTest,OU=Hosted,DC=XXXX,DC=local}
Path              : LDAP://CN=tptest2,ou=TPTest,ou=hosted,dc=XXXX,dc=local

distinguishedName : {CN=tptest3,OU=TPTest,OU=Hosted,DC=XXXX,DC=local}
Path              : LDAP://CN=tptest3,ou=TPTest,ou=hosted,dc=XXXX,dc=local

distinguishedName : {CN=tptest4,OU=TPTest,OU=Hosted,DC=XXXX,DC=local}
Path              : LDAP://CN=tptest4,ou=TPTest,ou=hosted,dc=XXXX,dc=local

distinguishedName : {CN=tptest6,OU=TPTest,OU=Hosted,DC=XXXX,DC=local}
Path              : LDAP://CN=tptest6,ou=TPTest,ou=hosted,dc=XXXX,dc=local

distinguishedName : {CN=tptest7,OU=TPTest,OU=Hosted,DC=XXXX,DC=local}
Path              : LDAP://CN=tptest7,ou=TPTest,ou=hosted,dc=XXXX,dc=local

distinguishedName : {CN=tptest8,OU=TPTest,OU=Hosted,DC=XXXX,DC=local}
Path              : LDAP://CN=tptest8,ou=TPTest,ou=hosted,dc=XXXX,dc=local

March 21, 2017 at 9:41 am

$ADUsers = $ADUsers | where { $_.Path -notmatch 'group' } # excludes group accounts
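
The pieces discussed in this thread combined into one function, as an added example that is not any poster's code: it walks an OU, keeps only user objects by schema class rather than by matching 'group' in the path, and sets AllowLogon only where it differs from the wanted value. The function name Set-OUTSAllowLogon and its parameters are hypothetical, and the OU path is the placeholder used earlier in the thread.

```powershell
function Set-OUTSAllowLogon {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        # LDAP path of the OU, e.g. 'LDAP://ou=PACRIM,dc=mydomain,dc=com'
        [Parameter(Mandatory = $true)]
        [string]$OUPath,

        # $false = deny Remote Desktop logon (AllowLogon 0), $true = allow (1)
        [bool]$Allow = $false
    )

    $target = [int]$Allow
    $ou = [adsi]$OUPath

    foreach ($child in $ou.psbase.Children) {
        # SchemaClassName is 'user' for user accounts, 'group' for groups and
        # 'computer' for computers, so no string match on the path is needed
        if ($child.psbase.SchemaClassName -ne 'user') { continue }

        $dn = $child.distinguishedName | Select-Object -First 1
        try {
            $current = $child.psbase.InvokeGet('AllowLogon')
        }
        catch {
            Write-Warning "$dn : could not read AllowLogon ($($_.Exception.Message))"
            continue
        }

        $changed = $false
        if ($current -ne $target -and
            $PSCmdlet.ShouldProcess($dn, "Set AllowLogon to $target")) {
            $child.psbase.InvokeSet('AllowLogon', $target)
            $child.SetInfo()   # write the change back to AD
            $changed = $true
        }

        # One record per user so the run can be reviewed or exported
        [pscustomobject]@{
            DN       = $dn
            Previous = $current
            Target   = $target
            Changed  = $changed
        }
    }
}

# Preview first, then re-run without -WhatIf to apply
Set-OUTSAllowLogon -OUPath 'LDAP://ou=PACRIM,dc=mydomain,dc=com' -WhatIf
```

Piping the output to Export-Csv keeps a record of each account's previous value, which is what you need to roll the change back for a client that later moves to hosted applications.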